From c7ef44803501b0204f71ab81d577a1c0e7b760fc Mon Sep 17 00:00:00 2001 From: Suramya Shah Date: Fri, 23 Feb 2018 11:15:27 +0530 Subject: [PATCH] Consolidate identity-token-binding.rst Consolidate from configuration.rst into identity-token-binding.rst Change-Id: Id62e7a245b8cf1c751e21395a30fee340d5bfbe0 --- doc/source/admin/identity-token-binding.rst | 3 ++ doc/source/configuration.rst | 42 --------------------- 2 files changed, 3 insertions(+), 42 deletions(-) diff --git a/doc/source/admin/identity-token-binding.rst b/doc/source/admin/identity-token-binding.rst index 82a7c837ba..34dbc2f919 100644 --- a/doc/source/admin/identity-token-binding.rst +++ b/doc/source/admin/identity-token-binding.rst @@ -62,3 +62,6 @@ option to one of these modes: [token] enforce_token_bind = x509 + +*Do not* set ``enforce_token_bind = named`` as there is not an authentication +mechanism called ``named``. \ No newline at end of file diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index a77e9532c3..e5e7c260f3 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst 
@@ -457,48 +457,6 @@ See `API Specification for OAuth 1.0a `_ for the details of API definition. - -Token Binding -============= - -Token binding refers to the practice of embedding information from external -authentication providers (like a company's Kerberos server) inside the token -such that a client may enforce that the token only be used in conjunction with -that specified authentication. This is an additional security mechanism as it -means that if a token is stolen it will not be usable without also providing -the external authentication. - -To activate token binding you must specify the types of authentication that -token binding should be used for in ``keystone.conf`` e.g.: - -.. code-block:: ini - - [token] - bind = kerberos - -Currently only ``kerberos`` is supported. - -To enforce checking of token binding the ``enforce_token_bind`` parameter -should be set to one of the following modes: - -* ``disabled`` disable token bind checking -* ``permissive`` enable bind checking, if a token is bound to a mechanism that - is unknown to the server then ignore it. This is the default. -* ``strict`` enable bind checking, if a token is bound to a mechanism that is - unknown to the server then this token should be rejected. -* ``required`` enable bind checking and require that at least 1 bind mechanism - is used for tokens. -* named enable bind checking and require that the specified authentication - mechanism is used. e.g.: - -.. code-block:: ini - - [token] - enforce_token_bind = kerberos - -*Do not* set ``enforce_token_bind = named`` as there is not an authentication -mechanism called ``named``. - Limiting list return size =========================
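Review bot: in the identity-token-binding.rst hunk, the three added lines leave the file without a trailing newline (the hunk ends with `\ No newline at end of file`); terminate the new paragraph with a newline so the next edit to the end of this file does not show this line as changed again. The added sentence itself is fine and matches the one being removed from configuration.rst, so the two files do not disagree on the `named` warning.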
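Review bot: the configuration.rst hunk removes two pieces of content that the identity-token-binding.rst hunk does not carry over: the activation example (`[token]` / `bind = kerberos`) and the statement "Currently only ``kerberos`` is supported." Please confirm that identity-token-binding.rst already documents the `bind` option and the set of supported bind mechanisms before this section is deleted. Note also that the context of the other hunk shows `enforce_token_bind = x509` as its example for the named mode, which is at odds with the "only kerberos" claim being dropped here; the consolidated page should state the supported bind types consistently rather than losing the claim silently. Finally, the removed `* named` bullet lacked the ``named`` literal markup used by the other bullets; since the other hunk's header context ("option to one of these modes:") indicates the same list exists in identity-token-binding.rst, check that the markup is consistent there.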